Authentication in 2026 - moving beyond foundational MFA to tackle the new era of attacks


Over the past year, there has been a significant shift in enterprise security. Organizations are moving faster than we’ve seen before, not out of panic but out of recognition of the threat posed by growing technologies such as AI. According to recent research, there has been a 63% growth in phishing-resistant authentication.

Furthermore, the WEF Global Security Outlook for 2026 revealed that the share of organizations assessing the security of their AI tools has nearly doubled from 37% in 2025 to 64% in 2026. This represents a market-wide realization that stronger security is business critical.

Stephen McDermid

Chief Security Officer for EMEA at Okta.

In 2026, organizations must build on existing security practices and embrace phishing-resistant authentication to deliver both robust protection and seamless user experience.

MFA got us here, but we must go further

Let’s not dismiss MFA – it’s been instrumental in keeping organizations safe. Okta’s latest data shows 70% MFA adoption across the industry, an all-time high. Within EMEA specifically, adoption has steadily increased with 69% of organizations having implemented MFA into their workforce over the past three years.

But that 70% adoption also means that around 30% of users remain unprotected. More critically, the attacks getting through aren’t the brute-force attempts that MFA was designed to stop. Those vectors have been largely neutralized. The problem we’re facing now is fundamentally different.

Last year, we observed a clear pattern emerging across multiple organizations. Attackers stopped going after passwords and MFA directly. Instead, they impersonated employees and called support teams.

They used sophisticated social engineering to reset credentials and exploited human touchpoints in recovery processes – the exact places where MFA doesn’t apply.

This represents the security landscape we’re operating in now. The problem isn’t just stopping malicious code or brute-force attempts. It’s stopping humans from being socially engineered into giving attackers a backdoor. And MFA, for all its strengths, simply doesn’t solve that problem.

Organizations that recognize this aren’t abandoning MFA – they’re layering phishing-resistant methods on top of it, particularly for critical systems.

The real shift is already happening

Organizations are actively adopting phishing-resistant methods such as WebAuthn, FIDO2 keys, FastPass, YubiKeys and smart cards. These aren’t niche solutions anymore – they’re becoming mainstream enterprise authentication methods.

To understand why this shift matters, consider the scale of the problem. According to the UK government, 84% of security breaches on businesses are the result of a phishing attack, with over 7.5 million attacks in 2024 alone.

When the financial and reputational impact is that substantial, investing in phishing-resistant methods becomes a business imperative.

What makes these methods fundamentally different is their technical design. They physically cannot be phished because the device or authenticator itself verifies it’s communicating with the legitimate service.

A user can be tricked into handing over a password or an SMS code, but they cannot be tricked into handing over a valid biometric or hardware key that proves its origin.
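The origin binding described above, shown as the checks a relying party runs on a WebAuthn assertion. This is an added example, not code from the article or from any vendor; the domain names, challenge value and function names are constructed for illustration, and the signature verification that a real server must also perform is omitted to keep the focus on the origin and RP ID checks.

```python
import base64, hashlib, hmac, json

RP_ID = "login.example.com"                  # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for browser + authenticator output. The browser
    writes the page's real origin into clientDataJSON and the authenticator
    hashes the RP ID it was scoped to; the user controls neither value."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags = bytes([0x05])                    # UP (0x01) | UV (0x04)
    counter = (1).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + counter
    return client_data, auth_data

def check_binding(client_data: bytes, auth_data: bytes, challenge: bytes):
    """Return the names of failed checks; an empty list means the binding
    checks passed and signature verification would come next."""
    failed = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    got = str(cd.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(challenge).encode()):
        failed.append("challenge")           # stale or replayed ceremony
    if cd.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")              # produced on another site
    if len(auth_data) < 37:                  # 32 hash + 1 flags + 4 counter
        return failed + ["authData length"]
    if not hmac.compare_digest(auth_data[:32],
                               hashlib.sha256(RP_ID.encode()).digest()):
        failed.append("rpIdHash")            # credential scoped elsewhere
    if not auth_data[32] & 0x01:
        failed.append("user presence")
    return failed

def demo():
    challenge = b"constructed-challenge-0001"
    legit = make_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    # Same ceremony carried out on a look-alike site (reserved .test domain).
    lookalike = make_assertion("https://login.example.com.attacker.test",
                               "login.example.com.attacker.test", challenge)
    return check_binding(*legit, challenge), check_binding(*lookalike, challenge)

if __name__ == "__main__":
    print(demo())
```

Unlike a password or SMS code, the values that fail here are set by the browser and authenticator, so a user who is deceived by the look-alike page still cannot produce an assertion the real service accepts.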

Our research revealed that phishing-resistant authenticators saw a 63% increase in adoption over the past year. Meanwhile, SMS usage – one of the most vulnerable methods – fell from 17.5% to 15.3%. Organizations are voting with their actions, moving away from compromised methods toward provably more secure alternatives.

The overlooked simplicity of phishing-resistant methods

Of course, there is skepticism. Doesn’t implementing these methods add complexity for users?

The data tells a different story. Phishing-resistant methods are both more secure and more usable than traditional approaches. Users aren’t fumbling with SMS codes. They’re using biometrics or hardware keys that work intuitively.

The user experience is smoother, and there's a measurable operational benefit – fewer password reset tickets and faster access recovery. That’s friction actually decreasing.

Passwords continue to have the highest adoption rate at 93%, showing the entrenched nature of legacy authentication. But the meaningful growth in phishing-resistant methods suggests a genuine shift in thinking. Organizations are gradually transitioning to better approaches.

In January 2025, 7% of enterprise users were signing in without passwords at all. That represents enterprise-scale passwordless authentication in real, complex environments. It’s not a pilot. It’s achievable at scale.

Understanding the implementation reality

Implementing phishing-resistant authentication across a large organization is genuinely challenging. You’re managing legacy systems, coordinating integration challenges, navigating organizational change management, and managing hardware costs. These are legitimate obstacles.

However, the cost of inaction is higher. Every quarter you delay is another quarter where your organization remains exposed to attacks that are already happening at scale.

Where to actually start

Stop thinking about authentication as a checkbox. Reframe it as a business continuity problem. Which systems, if compromised, would cause maximum disruption? Your administrative accounts. Your financial systems. Your core data repositories. These are where phishing-resistant authentication should be implemented first.

Organizations making progress here aren’t trying to go entirely passwordless overnight. They’re being strategically methodical – prioritizing by risk, measuring progress by business unit, and quantifying operational benefits.

The competitive advantage

In EMEA, security leaders are elevating authentication to a board-level risk metric. That positive shift will drive greater investment and innovation. MFA provided safety. Phishing-resistant authentication provides resilience for an evolved threat landscape.

To truly create a secure future, we must overturn the notion that better security slows users. Those who recognize this first will become early adopters of phishing-resistant techniques and gain the competitive edge.

The competitive advantage belongs to organizations that move forward intentionally now. Your board is paying attention. Your users are ready. The solutions exist and are proven. The only question remaining is how quickly your organization will act.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
